DLT Provider Guidance Notes

The purpose of this guidance note is to provide a DLT Provider, as defined in the Financial Services (Distributed Ledger Technology Providers) Regulations 2017 (the DLT Regulations), with guidance as to the operational, technical and organisational standards expected and in some circumstances required by the GFSC.

6 Corporate Governance

This guidance note is specifically in respect of the regulatory principle under paragraph 6 of Schedule 2 of the DLT Regulations (the Regulatory Principle).

The Regulatory Principle states that “A DLT Provider must have effective corporate governance arrangements.”

This document should be read as interpretative guidance for a DLT Provider and the examples contained in this document should be noted as indicative of good practice by a DLT Provider in connection with the Regulatory Principle.

A DLT Provider should note that the GFSC will take this document into account when reviewing a DLT Provider’s practices. The operational standards expected and required by the GFSC of a DLT Provider will vary depending on the size, particular nature, scale or complexity of the DLT Provider’s business.

Corporate Governance

A DLT Provider will need to implement and maintain good corporate governance arrangements which will establish the system by which firms are run and business overseen, including its structure, processes, culture and strategies. It will establish the rules by which authority is exercised and decisions taken and implemented to manage all risk types and exposures.

A DLT Provider will need to deliver and maintain a corporate culture consistent with the secure and confident delivery of the Regulatory Principles.

Board Structure and Size

A DLT Provider should act through an effective board of directors, which is collectively responsible for the success and obligations of the company. The board should have the appropriate balance of skills, experience, independence and knowledge of the business industry to enable them to discharge their respective duties and responsibilities effectively. This should include the qualities and application necessary to decide, formulate and implement strategic and day-to-day policies.

A DLT Provider should ensure that its directors collectively possess the necessary skills, experience and knowledge in respect of at least the following matters:

  • the technical and operational aspects of the DLT Provider;
  • the markets in which the DLT Provider will operate;
  • the DLT Provider’s business strategy and business model;
  • the DLT Provider’s system of governance; and
  • the regulatory framework and requirements.

The directors must have sufficient experience and knowledge of the business and the necessary authority to detect and deal with any imprudence, dishonesty and/or other irregularities in a DLT Provider.

The number of individuals who sit on the board should be commensurate with the size and nature of the business provided always that this number shall not be less than two. Subject to the minimum number of required directors, the board should be of sufficient size that the requirements of the business can be met and the business of a DLT Provider may be duly and properly discharged. In addition, the composition of a DLT Provider’s board should allow for changes to the board’s composition to be managed without undue disruption. All directors should be able to allocate sufficient time to a DLT Provider to discharge their respective responsibilities fully and effectively.

The directors shall deliberate all matters relating to a DLT Provider’s business to procure that a proper assessment of the relevant considerations and risks is carried out.

A DLT Provider shall hold regular board meetings with a pre-arranged agenda including proper reports from management of a nature appropriate to a DLT Provider’s size and type of business.

Mind and Management

The GFSC has established criteria for Mind and Management that all applicants, including a DLT Provider, must satisfy.

A DLT Provider must ensure that the Mind and Management of the business is conducted from its office in Gibraltar, and that the firm can evidence this. Where firms provide services to customers in jurisdictions outside Gibraltar, the firm should be able to continue to demonstrate that its Gibraltar office complies with the GFSC’s Mind and Management requirements.

The GFSC will consider the said criteria when assessing the extent to which an applicant has complied (or ought to comply) with this document taking into account the particular circumstances of a DLT Provider and its business model.

Four Eyes Principle

There is an overriding requirement for two designated individuals of a DLT Provider who are residents of Gibraltar to carefully review and consider all aspects of the business of the DLT Provider at all times to minimise the risk of error, poor judgement and/or oversight; and to ensure prudent consideration of all matters relevant to the operations of the DLT Provider’s business. A DLT Provider will be required to have regard to the Four Eyes Principles established by the GFSC.


A DLT Provider should take all reasonable steps, including the establishment and maintenance of appropriate systems, processes and procedures, to ensure that its officers, employees and other representatives are aware of their obligations, and that they act in conformity with them.

A DLT Provider should designate an appropriately skilled and experienced person as its compliance officer. The DLT Provider may delegate the compliance function to a third-party service provider provided the standards of the delegate and the requirement for oversight set out below are satisfied. The DLT Provider will retain ultimate responsibility for the function.

A DLT Provider will be requested to provide the regulator with an annual statement of compliance in respect of their ongoing responsibilities.


There is no specific requirement for a DLT Provider to have their technology or servers physically located in Gibraltar; and similarly, a DLT Provider will not ordinarily be required to have their intellectual property held in Gibraltar as this may be held by an affiliate company outside Gibraltar.

A DLT Provider will be able to use cloud services to host their business platforms and this can be outsourced to reputable and secure cloud service providers locally or outside Gibraltar so long as the DLT Provider can demonstrate it has access to and adequate oversight over cloud storage and processing.

A DLT Provider should ensure that, at all times, it has access to all relevant records and can provide access to the GFSC on demand, and that it has arrangements in place in the event of failure of primary record storage systems.


A DLT Provider’s board should provide a report to the GFSC on an annual basis to address any notable matters that have arisen in the past year, including but not limited to:

  • governance issues;
  • customer complaints;
  • systems failures or attacks;
  • business interruptions;
  • significant business challenges; and
  • any business, systemic or industry risks and how these issues have been or are being addressed.

The report should address how a DLT Provider’s business is doing generally, whether the volume of the business is increasing or decreasing and what effect this may be having on the DLT Provider.

Relationship with Regulator

A DLT Provider will need to have an open, cooperative and transparent relationship with the GFSC and other regulators and must disclose to them any matter of which the regulator would reasonably expect notice.

A DLT Provider will need to notify the GFSC of any proposed changes to their shareholding structure, directorship and/or any material changes and/or risks to the business at the earliest possible opportunity, including but not limited to, any changes that ought reasonably to have formed part of a DLT Provider’s application.

Director Responsibilities

A DLT Provider’s board should set the company’s values and standards and ensure that its obligations to its shareholders and others are understood and met.

A DLT Provider should clearly designate responsibilities to individual directors within the DLT Provider. Such responsibilities should include functions relating to the DLT Provider’s business and ongoing compliance with regulatory requirements. A DLT Provider may wish to establish a committee consisting of specific directors to whom certain functions/oversight shall be designated.

Any decisions taken by a DLT Provider’s board which may materially affect the DLT Provider’s business and/or the DLT Provider’s compliance with its regulatory requirements should be appropriately documented.

Non-Executive Directors

A DLT Provider may consider it necessary and appropriate to appoint individuals as non-executive directors. Should a DLT Provider wish to do so, it should apply a detailed and specific procedure for such appointments. Non-executive directors should be kept fully abreast of the DLT Provider’s business in order to allow them to participate in any relevant decision-making processes diligently and in accordance with the non-executive director’s duties to the DLT Provider.


A DLT Provider may outsource certain services and, if the DLT Provider wishes to do so, it should apply fit and proper procedures in assessing that service provider’s ability to perform the required obligations. A DLT Provider should designate a director within the company to have overall responsibility for any outsourced function. The designated director will need to possess sufficient knowledge and experience regarding the outsourced function to be able to challenge the performance and results of the service provider.

A DLT Provider may also outsource certain services to affiliate companies within their group structure. The entity responsible for fulfilling the governance requirements at group level should document which functions relate to which legal entity within the corporate group structure and ensure that the performance of the key functions is not impaired by such arrangements.

A DLT Provider will retain ultimate responsibility for any outsourced functions. Further information on the GFSC’s expectations around outsourcing can be found here.